Cloudflare uses Google Cloud Identity and Access Management (IAM) to gain access to your bucket. The Cloudflare IAM service account needs admin permission for the bucket.
To enable Logpush to GCS:
Create a GCS bucket. See instructions from GCS.
In Storage > Browser > Bucket > Permissions, add the member
email@example.com with Storage Object Admin permission.
Logpush will not work if there is a retention policy on your bucket because this policy prevents overwrites. If you're using the policy to enforce deletion, you can use a lifecycle rule instead. See object lifecycle management from GCS.